

ESR Group Limited Annual Report 2024

[Figure: ERM Process. The ERM Process is a standard, iterative, and continuous 4-step process. Identify & Prioritise: How do we identify and prioritise risks? Assess: What are the key causes & consequences of the risks? Manage: What are the internal controls or mitigation measures in place to manage the risks? Monitor & Report: How do we monitor the risks and who do we report them to?]

RISK MANAGEMENT PROCESS

The Group adopts a four-step iterative risk management process aimed at identifying, assessing, managing, monitoring and reporting different types of risks.

Risk Identification

The management adopts an integrated top-down and bottom-up risk review process to enable comprehensive identification and prioritisation of key risks throughout the Group. Key stakeholders within the organisation will come together to discuss the top-tier risks and examine any other risk issues and emerging risks that they consider important. This ensures a risk approach that is aligned with the Group's business objectives and strategies, and integrated with operational processes for effectiveness and accountability.

The risk identification process includes the establishment of risk context, identification of risk factors, analysis and evaluation of risk levels and their related likelihood and impact on the business performance of the Group. The Group's risk profile, including key risks, is reviewed and refreshed annually, or more frequently when the business environment warrants. The information is maintained and documented in a risk register, with risks sub-categorised into strategic, financial, operational, compliance and technology. Within the category of operational risk, the Group also considers climate-related risks which are relevant to the business.

A five-by-five risk matrix is used as the primary tool to facilitate the prioritisation of risks based on likelihood and impact. Risks are valued on the matrix based on the likelihood of occurrence and magnitude of impact should the risks materialise. The magnitude of impact includes consideration of financial, regulatory, reputational, operational and environmental effects. Parameters representing ESR's risk appetite and tolerance are also established to guide the evaluation of risks on the matrix. This risk identification exercise monitors any risk changes and trends as well as the effectiveness of the related control mechanisms and/or control activities within the overall risk profile.

The Group Risk Management department works closely with the risk owners to identify key risks, assess their likelihood and impact on the Group's business, and establish corresponding mitigating controls to manage these risks. The Group has also developed internal key risk indicators that serve as an early-warning system to highlight risks that have escalated beyond the agreed tolerance levels. In addition, the management has established required follow-up actions to be taken when risk thresholds are breached. The key risks and key risk indicators are reviewed by management and Audit Committee before they are drawn to the attention of the Board.
                                